Files
crewAI/.github/workflows
Rip&Tear de4b55cf79 ci: whitelist nltk PYSEC-2026-597 in pip-audit (no fix available)
nltk 3.9.4 path-traversal advisory (percent-encoded sequences bypassing
the data.load()/find() check; incomplete fix for nltk#3504). 3.9.4 is the
latest release and the advisory lists no fixed version, so the pin cannot be
bumped to clear it. nltk is transitive via unstructured and crewai never
calls nltk.data.load()/find() with untrusted input. Mirrors the existing
PYSEC-2026-97 nltk ignore.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-03 15:22:09 +08:00
..